org.springframework:spring-web 4.3.14.RELEASE vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.springframework:spring-web package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
L Improper Handling of Case Sensitivity org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to `String.toLowerCase()` having some Locale dependent exceptions that could potentially result in fields not protected as expected. Note: The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. How to fix Improper Handling of Case Sensitivity? Upgrade `org.springframework:spring-web` to version 6.1.14 or higher.	[,6.1.14)
M Denial of Service (DoS) org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to Denial of Service (DoS) in the form of improper ETag prefix validation when parsing ETags from the `If-Match` or `If-None-Match` request headers. An attacker can exploit this vulnerability to cause denial of service by sending a maliciously crafted conditional HTTP request. How to fix Denial of Service (DoS)? Upgrade `org.springframework:spring-web` to version 5.3.38, 6.0.23, 6.1.12 or higher.	[,5.3.38)[6.0.0,6.0.23)[6.1.0,6.1.12)
M Open Redirect org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to Open Redirect when `UriComponentsBuilder` is used to parse an externally provided URL and perform validation checks on the host of the parsed URL. Note: This is the same as CVE-2024-22259 and CVE-2024-22243, but with different input. How to fix Open Redirect? Upgrade `org.springframework:spring-web` to version 5.3.34, 6.0.19, 6.1.6 or higher.	[,5.3.34)[6.0.0,6.0.19)[6.1.0,6.1.6)
H Open Redirect org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to Open Redirect when using `UriComponentsBuilder` to parse an externally provided `URL` and perform validation checks on the host of the parsed URL. Note: This is the same as CVE-2024-22243, but with different input. How to fix Open Redirect? Upgrade `org.springframework:spring-web` to version 5.3.33, 6.0.18, 6.1.5 or higher.	[,5.3.33)[6.0.0,6.0.18)[6.1.0,6.1.5)
H Open Redirect org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to Open Redirect when `UriComponentsBuilder` parses an externally provided URL, and the application subsequently uses that URL. If it contains hierarchical components such as path, query, and fragment it may evade validation. How to fix Open Redirect? Upgrade `org.springframework:spring-web` to version 5.3.32, 6.0.17, 6.1.4 or higher.	[,5.3.32)[6.0.0,6.0.17)[6.1.0,6.1.4)
H Improper Input Validation org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to Improper Input Validation. The protections against Reflected File Download attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a `jsessionid` path parameter. How to fix Improper Input Validation? Upgrade `org.springframework:spring-web` to version 4.3.29.RELEASE, 5.0.19.RELEASE, 5.1.18.RELEASE, 5.2.9.RELEASE or higher.	[3.2.0.RELEASE,4.3.29.RELEASE)[5.0.0.RELEASE,5.0.19.RELEASE)[5.1.0.RELEASE,5.1.18.RELEASE)[5.2.0.RELEASE,5.2.9.RELEASE)
L Denial of Service (DoS) org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to Denial of Service (DoS). A malicious user could add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. How to fix Denial of Service (DoS)? Upgrade `org.springframework:spring-web` to version 4.3.20.RELEASE, 5.0.10.RELEASE, 5.1.1.RELEASE or higher.	[4.2.0.RELEASE,4.3.20.RELEASE)[5.0.0.RELEASE,5.0.10.RELEASE)[5.1.0.RELEASE,5.1.1.RELEASE)
M Information Exposure org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to Information Exposure. It allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through `AbstractJsonpResponseBodyAdvice` for REST controllers, and `MappingJackson2JsonView` for browser requests. When `MappingJackson2JsonView` is configured in an application, JSONP support is automatically ready to use through the `jsonp` and `callback` JSONP parameters, enabling cross-domain requests. Allowing cross-domain requests from untrusted origins may expose user information to 3rd party browser scripts. How to fix Information Exposure? Upgrade `org.springframework:spring-web` to version 4.3.18.RELEASE, 5.0.7.RELEASE or higher.	[4.3.0.RELEASE,4.3.18.RELEASE)[5.0.0.RELEASE,5.0.7.RELEASE)
M Cross-Site Tracing (XST) org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to Cross-Site Tracing (XST). It allows web applications to change the HTTP request method to any HTTP method (including TRACE) using the `HiddenHttpMethodFilter` in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST attack. How to fix Cross-Site Tracing (XST)? Upgrade `org.springframework:spring-web` to version 4.3.18.RELEASE, 5.0.7.RELEASE or higher.	[4.3.0.RELEASE,4.3.18.RELEASE)[5.0.0.RELEASE,5.0.7.RELEASE)

Vulnerability

Vulnerable Version

Improper Handling of Case Sensitivity

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to String.toLowerCase() having some Locale dependent exceptions that could potentially result in fields not protected as expected.

Note: The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive.

How to fix Improper Handling of Case Sensitivity?

Upgrade org.springframework:spring-web to version 6.1.14 or higher.

[,6.1.14)

Denial of Service (DoS)

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the form of improper ETag prefix validation when parsing ETags from the If-Match or If-None-Match request headers. An attacker can exploit this vulnerability to cause denial of service by sending a maliciously crafted conditional HTTP request.

How to fix Denial of Service (DoS)?

Upgrade org.springframework:spring-web to version 5.3.38, 6.0.23, 6.1.12 or higher.

[,5.3.38)[6.0.0,6.0.23)[6.1.0,6.1.12)

Open Redirect

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Open Redirect when UriComponentsBuilder is used to parse an externally provided URL and perform validation checks on the host of the parsed URL.

Note: This is the same as CVE-2024-22259 and CVE-2024-22243, but with different input.

How to fix Open Redirect?

Upgrade org.springframework:spring-web to version 5.3.34, 6.0.19, 6.1.6 or higher.

[,5.3.34)[6.0.0,6.0.19)[6.1.0,6.1.6)

Open Redirect

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Open Redirect when using UriComponentsBuilder to parse an externally provided URL and perform validation checks on the host of the parsed URL.

Note: This is the same as CVE-2024-22243, but with different input.

How to fix Open Redirect?

Upgrade org.springframework:spring-web to version 5.3.33, 6.0.18, 6.1.5 or higher.

[,5.3.33)[6.0.0,6.0.18)[6.1.0,6.1.5)

Open Redirect

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Open Redirect when UriComponentsBuilder parses an externally provided URL, and the application subsequently uses that URL. If it contains hierarchical components such as path, query, and fragment it may evade validation.

How to fix Open Redirect?

Upgrade org.springframework:spring-web to version 5.3.32, 6.0.17, 6.1.4 or higher.

[,5.3.32)[6.0.0,6.0.17)[6.1.0,6.1.4)

Improper Input Validation

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Improper Input Validation. The protections against Reflected File Download attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

How to fix Improper Input Validation?

Upgrade org.springframework:spring-web to version 4.3.29.RELEASE, 5.0.19.RELEASE, 5.1.18.RELEASE, 5.2.9.RELEASE or higher.

[3.2.0.RELEASE,4.3.29.RELEASE)[5.0.0.RELEASE,5.0.19.RELEASE)[5.1.0.RELEASE,5.1.18.RELEASE)[5.2.0.RELEASE,5.2.9.RELEASE)

Denial of Service (DoS)

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Denial of Service (DoS). A malicious user could add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack.

How to fix Denial of Service (DoS)?

Upgrade org.springframework:spring-web to version 4.3.20.RELEASE, 5.0.10.RELEASE, 5.1.1.RELEASE or higher.

[4.2.0.RELEASE,4.3.20.RELEASE)[5.0.0.RELEASE,5.0.10.RELEASE)[5.1.0.RELEASE,5.1.1.RELEASE)

Information Exposure

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Information Exposure. It allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers, and MappingJackson2JsonView for browser requests. When MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the jsonp and callback JSONP parameters, enabling cross-domain requests. Allowing cross-domain requests from untrusted origins may expose user information to 3rd party browser scripts.

How to fix Information Exposure?

Upgrade org.springframework:spring-web to version 4.3.18.RELEASE, 5.0.7.RELEASE or higher.

[4.3.0.RELEASE,4.3.18.RELEASE)[5.0.0.RELEASE,5.0.7.RELEASE)

Cross-Site Tracing (XST)

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Cross-Site Tracing (XST). It allows web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST attack.

How to fix Cross-Site Tracing (XST)?

Upgrade org.springframework:spring-web to version 4.3.18.RELEASE, 5.0.7.RELEASE or higher.

[4.3.0.RELEASE,4.3.18.RELEASE)[5.0.0.RELEASE,5.0.7.RELEASE)

org.springframework:spring-web@4.3.14.RELEASE vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?